Bug 331 - User authentication fails "NT_STATUS_NO_LOGON_SERVERS (PAM: 4)"
Summary: User authentication fails "NT_STATUS_NO_LOGON_SERVERS (PAM: 4)"
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.0preX
Hardware: All Solaris
: P3 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-08-20 07:49 UTC by Brian King
Modified: 2005-11-14 09:24 UTC (History)
0 users

See Also:

Attachments
winbind -d10 (50.94 KB, text/plain)
2003-08-20 07:54 UTC, Brian King 		no flags Details
smbd -d10 (74.39 KB, text/plain)
2003-08-20 08:01 UTC, Brian King 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brian King 2003-08-20 07:49:37 UTC 
First, I may have attributed this to the wrong "component", I'm not sure where 
this is going wrong.

I can authenticate to the UNIX share (using ADS security) from a win2K client 
for a short time after samba is restarted, but eventually (within a couple of 
hours) I start getting the windows message "there are currently no logon 
servers available to service the logon request".

I have found that a "net ads join" makes the problem go away without restarting 
samba. I am currently using the CVS code from 2003-08-18 plus the winbind patch 
from bug 282.

I will be attaching debug 10 logs shortly.
Comment 1 Brian King 2003-08-20 07:54:01 UTC 
Created attachment 90 [details]
winbind -d10

Items of note in the attachment:

SNB-FTON-AD1 = the primary AD server
SNB-FTON-DBS8 = the Unix server
SNB-FTON-BMC1 = the win2k client
SNB.CA = the AD realm
MYGROUP = the workgroup line from smb.conf

"could not open handle to NETLOGON pipe"
Comment 2 Brian King 2003-08-20 08:01:46 UTC 
Created attachment 91 [details]
smbd -d10

Items of note:

[2003/08/20 11:29:10, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = TDOM/SNB couldn't be found
[2003/08/20 11:29:10, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(172)
  no entry for trusted domain SNB found.

... First occurance of MYGROUP instead of SNB ...
[2003/08/20 11:29:10, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = TDOM/SNB couldn't be found
[2003/08/20 11:29:10, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(172)
  no entry for trusted domain SNB found.

...
[2003/08/20 11:29:10, 5] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [xbking] FAILED with
erro
r NT_STATUS_NO_LOGON_SERVERS
[2003/08/20 11:29:10, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:	Authentication for user [xbking] -> [xbking] FAILED
with
 error NT_STATUS_NO_LOGON_SERVERS

...

[2003/08/20 11:29:10, 5] auth/auth_util.c:make_user_info_map(216)
  make_user_info_map: Mapping user [SNB]\[xbking] from workstation
[SNB-FTON-BMC
1]
[2003/08/20 11:29:10, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = TDOM/SNB couldn't be found
[2003/08/20 11:29:10, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(172)
  no entry for trusted domain SNB found.
...
[2003/08/20 11:29:10, 3] auth/auth.c:check_ntlm_password(216)
  check_ntlm_password:	Checking password for unmapped user
[SNB]\[xbking]@[SNB-
FTON-BMC1] with the new password interface
[2003/08/20 11:29:10, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:	mapped user is: [MYGROUP]\[xbking]@[SNB-FTON-BMC1]

...
[2003/08/20 11:29:55, 2] smbd/server.c:exit_server(558)
  Closing connections
[2003/08/20 11:29:55, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2003/08/20 11:29:55, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not
exist
.
Comment 3 Brian King 2003-08-20 08:05:25 UTC 
Also interesting.

smbclient -k \\\\snb-fton-dbs8\\public
(from a remote UNIX machine)

works while connecting from the win2k box with the same AD/kerberos credentials 
gives the "no logon servers" message.
Comment 4 Brian King 2003-08-20 12:03:42 UTC 
More strangeness that appears to be related.
I've used 'setfacl' to allow 2 groups access to a directory/share.

bash-2.05# 
getfacl /oracle/app/oracle/admin/planet/P2900AT/files/planetexternaldata

# file: /oracle/app/oracle/admin/planet/P2900AT/files/planetexternaldata
# owner: oracle
# group: MYGROUP\planet-external-data-mt
user::rwx
group::r-x              #effective:r-x
group:MYGROUP\planet-map-admin-mt:rwx               #effective:r-x
mask:r-x
other:r-x

When I assigned the facls, it said 'SNB' where it says MYGROUP above.
After I stop and start 'nscd', a getfacl shows the correct info again:

bash-2.05# 
getfacl /oracle/app/oracle/admin/planet/P2900AT/files/planetexternaldata

# file: /oracle/app/oracle/admin/planet/P2900AT/files/planetexternaldata
# owner: oracle
# group: SNB\planet-external-data-mt
user::rwx
group::r-x              #effective:r-x
group:SNB\planet-map-admin-mt:rwx               #effective:r-x
mask:r-x
other:r-x

There seems to be some kind of 'blip' where the domain/realm switches to 
MYGROUP temporarily and this confuses nscd, and possibly other things as well. 
(just a guess)
Comment 5 Brian King 2003-09-10 05:54:32 UTC 
I have not seen this re-occur since upgrading to newer CVS versions. Not sure 
exactly when it disappeared, or if it's just a very rare occurance. Close and 
I'll re-open if I ever see it again?
Comment 6 Gerald (Jerry) Carter (dead mail address) 2003-09-10 07:16:45 UTC 
assuming this is really for Samba 3.0
Comment 7 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:05:25 UTC 
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:15:37 UTC 
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:24:20 UTC 
database cleanup